Logging and Audit Trails (Policy)

Overview and Purpose

[variable: Covered Organization] requires a means to reconstruct and/or review user activities related to operations, procedures, or events occurring on its systems. To accomplish this, a record of activity, or “audit trail,” of system and application processes and of user activity on systems and applications must be maintained. In conjunction with appropriate tools and procedures, audit trails can help information security and IT staff detect security violations, system performance problems, and flaws in business applications.

Coverage

These procedures apply to all personnel who use, manage, design or implement programs on LSA.

Roles and Responsibilities

Information Security Officer (ISO)

  • Prepares policy guidelines on online monitoring and audit trail recording, protecting, reviewing, and reporting
  • Reports security breaches or anomalies to the Director, ISO

Supervisor

  • Periodically monitors user activity
  • Assists the Security Officer and ISO in reconciling audit trail anomalies

Security Officer – [variable: Covered Organization] site

  • Periodically monitors online programmer activity
  • Ensures audit trail functions are operating and reports are reviewed weekly
  • Immediately informs the ISSO if the audit trail contains anomalies or security breaches

Policy

  • Ongoing collection and retention of a record of user activities on or with [variable: Covered applications or systems; (may be “All organizational systems”)], including:
    • Log-in attempts
    • Password changes
    • File creations, changes and/or deletions
  • Identification and authentication of users at the time of interaction with the system. These access management steps should individually identify users to the degree that user actions can be tracked and users themselves can be held accountable for their actions.
  • Periodic review of application programmers’ activities.
  • Documentation of the following variables in the audit-trail event record:
    • The type of event
    • The time and date of the event
    • The User ID associated with the event
    • The program or command used to initiate the event
  • Weekly review of audit trails by the [variable: Managerial role responsible for this function] or other authorized organization individuals who are not regular users or who do not administer access to the [variable: Covered Organization] system. [variable: Managerial role responsible for oversight of event logs] must review the audit trail monthly.
  • Immediate communication of anomalies to appropriate supervisory IT or information security manager(s) for follow-up action.
  • Secure storage of [variable: Covered Organization] audit files in an access-controlled room or environment.
  • Retention of audit files for at least [variable: Time frame determined by management and/or legal counsel].

Enforcement

Unauthorized personnel are not allowed to see or obtain sensitive data. Gross negligence or willful disclosure leading to illicit exposure of [variable: Covered Organization] information may result in prosecution for misdemeanor or felony resulting in fines, imprisonment, civil liability, and/or dismissal. [variable: Cite relevant laws, policies, or statutes to support enforcement.]

Supporting Documentation

This policy is supported by the following rules, standards, and procedures:

  • [variable: internal documents (with links, if available)]
  • [variable: external documents (with links, if available)]

Policy Support Contact

  • [variable: title (not personal name) of role responsible for overseeing this procedure]
  • [variable: Contact information of office responsible for overseeing this procedure]

References

Related Templates

Procedure Source Document(s)

 
